SSL error in Druid batch ingestion with HTTP firehose

Hi All,

We have Druid version 0.18.0 installed as a single node, and are trying to perform a batch load from an HTTP URI (https://<hostname_fqdn>/path/test_file.json).

But Druid is unable to fetch the file URI, as it fails with an SSL error.

Error: Failed to sample data: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The HTTP URI for the file is SSL enabled and we have the certificate for it. I tried providing the certificate truststore in the following ways, but it didn’t work.

option1: druid.indexer.runner.javaOpts= -Djavax.net.ssl.trustStrore=/etc/security/truststore_file.jks -Djavax.net.ssl.trustStorePassword=

option2: druid.client.https.trustStorePath=/etc/security/truststore_file.jks

Could you please help with the proper way to specify the certificate for an HTTPS file URI in the Druid configuration?

Hey Soumya,

It looks like you may have spelled “trustStore” wrong in “javax.net.ssl.trustStore”. Additionally, make sure it’s provided in the jvm.config for every service.

You might need to specify the options both ways. I’m not 100% sure about this, but I’d try it. For the second way, you might need to include druid.client.https.trustStoreType, druid.client.https.trustStoreAlgorithm, and druid.client.https.trustStorePassword as well.

Hi Gian,

Thank you for the reply. I tried both options after making the corrections suggested, but it didn’t work.

Any thoughts?

Hi Soumya,

The issue could be that your truststore is unable to verify the server certificate. In this case, the solution would be to use a truststore which includes Certificate Authorities that can verify the server certificate. You might have better luck using the default truststore provided by the JDK, in case you haven’t already tried that.

You could also enable ssl debug logging via the java option: -Djavax.net.debug=ssl to get more information on what could be going wrong.

Thanks,

Atul
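The JVM accepts any -D name without complaint, so a misspelled property such as the one pointed out earlier in this thread is silently ignored and the default truststore stays in effect. The following is an added example, not part of the original thread and not Druid code: a small linter for javaOpts / jvm.config text that flags unknown javax.net.ssl.* properties. The function name and the sample text are assumptions made for illustration.

```python
import difflib
import re

# Standard JSSE system properties read by the JVM's default SSLContext.
KNOWN = {
    "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStoreProvider",
    "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStoreProvider",
}

# Matches -Dkey or -Dkey=value; the value ends at the next whitespace.
D_FLAG = re.compile(r"-D(javax\.net\.ssl\.[A-Za-z.]+)(?:=(\S*))?")

# Constructed sample: the option1 line as posted above, then a comment
# line and a correctly spelled flag as they would appear in a jvm.config.
SAMPLE = """\
druid.indexer.runner.javaOpts= -Djavax.net.ssl.trustStrore=/etc/security/truststore_file.jks -Djavax.net.ssl.trustStorePassword=
# -Djavax.net.ssl.trustStrore=ignored-because-commented-out
-Djavax.net.ssl.trustStore=/etc/security/truststore_file.jks
"""


def lint_jvm_opts(text):
    """Return (line_no, property, problem) for each suspicious -D flag."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out lines
        for key, value in D_FLAG.findall(line):
            if key not in KNOWN:
                # Suggest the closest real property name, if any is similar.
                near = difflib.get_close_matches(key, KNOWN, n=1)
                hint = "unknown property"
                if near:
                    hint += f", did you mean {near[0]}?"
                findings.append((no, key, hint))
            elif not value:
                findings.append((no, key, "empty value"))
    return findings


if __name__ == "__main__":
    for no, key, problem in lint_jvm_opts(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

An "empty value" finding is only a prompt to check that the blank is intended; it is not necessarily an error.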